For organizations that deploy AD FS for single sign-on with Office 365, it is a CRITICAL component, just as the on-premises Active Directory infrastructure is. Whilst you may have your mailboxes hosted on Exchange Online, if your on-prem AD FS is not accessible for whatever reason, users cannot authenticate to access their mailboxes.

There are a number of ways to create a highly available environment, starting with load balancing the AD FS and WAP servers in a single location, then geo-load-balancing them across multiple datacenters, and, probably the best option, extending your infrastructure into Azure and implementing the AD FS farm on Azure IaaS.

Another option, and one which should be done anyway because it costs nothing to implement, is to use the Password Synchronization feature of AAD Connect (formerly DirSync) as a disaster recovery option should your AD FS become unavailable.

Enabling Password Sync is simple (see this blog). The latest release automatically upgrades itself when a new release becomes available, but this can be disabled (follow this blog). You can also force a sync if you cannot wait for the 30 minute sync schedule (which is the default and can be changed by following this blog).
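As an added example (not code from the original post), this is how the three operations just mentioned look from the AAD Connect server itself: checking the auto-upgrade state, inspecting and adjusting the sync scheduler, and forcing a delta sync rather than waiting for the next cycle. It assumes an elevated PowerShell session on the AAD Connect server with the ADSync module available; the cmdlets are the module's own, the interval value is just the default restated.

```powershell
# Added example, not from the original post. Run on the AAD Connect server
# in an elevated PowerShell session; the ADSync module ships with AAD Connect.
Import-Module ADSync

# Auto-upgrade: see whether the install will update itself on new releases.
# Uncomment the Set- line to turn it off if you want to control upgrades.
Get-ADSyncAutoUpgrade
# Set-ADSyncAutoUpgrade -AutoUpgradeState Disabled

# Scheduler: SyncCycleEnabled, the effective interval (30 minutes by default),
# the floor the tenant allows, and when the next cycle is due.
$sched = Get-ADSyncScheduler
$sched | Select-Object SyncCycleEnabled, AllowedSyncCycleInterval,
    CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC, SyncCycleInProgress

# Changing the interval: it cannot be shorter than AllowedSyncCycleInterval.
# Shown with the default value; adjust to taste.
# Set-ADSyncScheduler -CustomizedSyncCycleInterval (New-TimeSpan -Minutes 30)

# Force a delta sync now, but only if the scheduler is not already mid-cycle,
# otherwise the call is rejected and you just get an error back.
if ($sched.SyncCycleInProgress) {
    Write-Warning 'A sync cycle is already in progress; wait for it to finish.'
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

A delta sync is the one you want here; a full sync (`-PolicyType Initial`) re-reads every object and takes far longer on a large directory for no benefit in this scenario.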

Failover

So let's say a disaster has occurred and AD FS is unavailable. Note that this should be a genuine disaster scenario, not your certificate expiring or Windows Updates being applied to the AD FS infrastructure.

Microsoft originally provided guidance on the process to temporarily fail over from AD FS to synchronized passwords. However, it is awful and doesn't work or help you in this disaster scenario, so this is how to do it the quick and easy way. The biggest issue with the Microsoft documentation is that, because we have a “disaster”, we cannot access our AD FS environment, so you can't go through that documentation and end up with the following error:

The command you need to use because the ADFS infrastructure is unavailable is:
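The following is an added example of the failover, written by the editor rather than taken from the original post, using the MSOnline PowerShell module. It assumes the module is installed, the account used is a Global Administrator, and `contoso.example` stands in for your federated domain (placeholder). It also assumes, from my own understanding rather than anything the post states, that `Convert-MsolDomainToStandard` has to reach the AD FS farm while `Set-MsolDomainAuthentication` only changes the setting in Azure AD, which is why the latter is usable when AD FS is down. The pre-flight checks are there because switching a domain to Managed is only useful if password hashes have actually been arriving in Azure AD.

```powershell
# Added example, not the original post's command. Requires the MSOnline module
# and a Global Administrator account. The domain name is a placeholder.
Import-Module MSOnline
Connect-MsolService   # prompts for Global Administrator credentials

$domain = 'contoso.example'   # placeholder: your federated domain

# Pre-flight 1: the domain really is federated right now.
$d = Get-MsolDomain -DomainName $domain
if ($d.Authentication -ne 'Federated') {
    throw "$domain is already '$($d.Authentication)'; nothing to fail over."
}

# Pre-flight 2: password sync is on and has run recently. If it has not,
# users will have no usable cloud password once the domain is Managed.
$info = Get-MsolCompanyInformation
if (-not $info.PasswordSynchronizationEnabled) {
    throw 'Password sync is not enabled in the tenant; failover would leave users without passwords.'
}
"Last directory sync: $($info.LastDirSyncTime)  Last password sync: $($info.LastPasswordSyncTime)"

# The switch itself: Federated -> Managed, done purely on the Azure AD side.
# Assumption: unlike Convert-MsolDomainToStandard, this does not contact AD FS,
# which is the whole point when the AD FS farm is what has failed.
Set-MsolDomainAuthentication -DomainName $domain -Authentication Managed

# Verify the change took effect before telling users to sign in again.
$after = (Get-MsolDomain -DomainName $domain).Authentication
if ($after -ne 'Managed') {
    throw "Domain $domain is still '$after'; the failover did not apply."
}
"Domain $domain is now Managed; users authenticate with synchronized passwords."
```

When the AD FS farm is back, the same cmdlet with `-Authentication Federated` and the farm's federation settings (issuer URI, passive log-on URI, signing certificate) reverses the change; the restore needs the AD FS side reachable again, so keep that configuration recorded somewhere outside the AD FS servers themselves.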